Nemcio/SCM-Manager
1
0
Fork 0
mirror of https://github.com/scm-manager/scm-manager.git synced 2025-11-09 23:15:43 +01:00
Code Issues Packages Projects Releases Activity

Fix permission checks

Browse Source
This commit is contained in:
René Pfeuffer
2019-01-18 14:52:17 +01:00
parent 05f9483a9c
commit f781778908
3 changed files with 39 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
scm-webapp/src/main/java/sonia/scm/security/PermissionAssigner.java
View File

@@ -17,6 +17,7 @@ public class PermissionAssigner {
} }
public Collection<PermissionDescriptor> getAvailablePermissions() { public Collection<PermissionDescriptor> getAvailablePermissions() {
PermissionPermissions.read().check();
return securitySystem.getAvailablePermissions(); return securitySystem.getAvailablePermissions();
} }
@@ -37,6 +38,7 @@ public class PermissionAssigner {
} }
private Set<PermissionDescriptor> readPermissions(Predicate<AssignedPermission> predicate) { private Set<PermissionDescriptor> readPermissions(Predicate<AssignedPermission> predicate) {
PermissionPermissions.read().check();
return securitySystem.getPermissions(predicate) return securitySystem.getPermissions(predicate)
.stream() .stream()
.map(AssignedPermission::getPermission) .map(AssignedPermission::getPermission)
@@ -54,6 +56,7 @@ public class PermissionAssigner {
} }
private void adaptPermissions(String id, boolean groupPermission, Collection<PermissionDescriptor> permissions, Collection<AssignedPermission> existingPermissions) { private void adaptPermissions(String id, boolean groupPermission, Collection<PermissionDescriptor> permissions, Collection<AssignedPermission> existingPermissions) {
PermissionPermissions.assign().check();
List<AssignedPermission> toRemove = existingPermissions.stream() List<AssignedPermission> toRemove = existingPermissions.stream()
.filter(p -> !permissions.contains(p.getPermission())) .filter(p -> !permissions.contains(p.getPermission()))
.collect(Collectors.toList()); .collect(Collectors.toList());

16
scm-webapp/src/test/java/sonia/scm/security/DefaultSecuritySystemTest.java
View File

@@ -221,22 +221,6 @@ public class DefaultSecuritySystemTest extends AbstractTestBase
securitySystem.deletePermission(sap); securitySystem.deletePermission(sap);
} }
/**
* Method description
*
*/
@Test(expected = UnauthorizedException.class)
public void testUnauthorizedGetPermission()
{
setAdminSubject();
createPermission("trillian", false,
"repository:*:READ");
setUserSubject();
securitySystem.getPermissions(p -> true);
}
/** /**
* Method description * Method description
* *

40
scm-webapp/src/test/java/sonia/scm/security/PermissionAssignerTest.java
View File

@@ -2,10 +2,12 @@ package sonia.scm.security;
import com.github.sdorra.shiro.ShiroRule; import com.github.sdorra.shiro.ShiroRule;
import com.github.sdorra.shiro.SubjectAware; import com.github.sdorra.shiro.SubjectAware;
import org.apache.shiro.authz.UnauthorizedException;
import org.assertj.core.api.Assertions; import org.assertj.core.api.Assertions;
import org.junit.Before; import org.junit.Before;
import org.junit.Rule; import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.junit.rules.ExpectedException;
import sonia.scm.plugin.PluginLoader; import sonia.scm.plugin.PluginLoader;
import sonia.scm.store.InMemoryConfigurationEntryStoreFactory; import sonia.scm.store.InMemoryConfigurationEntryStoreFactory;
import sonia.scm.util.ClassLoaders; import sonia.scm.util.ClassLoaders;
@@ -22,6 +24,9 @@ public class PermissionAssignerTest {
@Rule @Rule
public ShiroRule shiroRule = new ShiroRule(); public ShiroRule shiroRule = new ShiroRule();
@Rule
public ExpectedException expectedException = ExpectedException.none();
private DefaultSecuritySystem securitySystem; private DefaultSecuritySystem securitySystem;
private PermissionAssigner permissionAssigner; private PermissionAssigner permissionAssigner;
@@ -32,10 +37,14 @@ public class PermissionAssignerTest {
securitySystem = new DefaultSecuritySystem(new InMemoryConfigurationEntryStoreFactory(), pluginLoader); securitySystem = new DefaultSecuritySystem(new InMemoryConfigurationEntryStoreFactory(), pluginLoader);
securitySystem.addPermission(new AssignedPermission("1", "perm:read:1")); try {
securitySystem.addPermission(new AssignedPermission("1", "perm:read:2")); securitySystem.addPermission(new AssignedPermission("1", "perm:read:1"));
securitySystem.addPermission(new AssignedPermission("2", "perm:read:2")); securitySystem.addPermission(new AssignedPermission("1", "perm:read:2"));
securitySystem.addPermission(new AssignedPermission("1", true, "perm:read:2")); securitySystem.addPermission(new AssignedPermission("2", "perm:read:2"));
securitySystem.addPermission(new AssignedPermission("1", true, "perm:read:2"));
} catch (UnauthorizedException e) {
// ignore for tests with limited privileges
}
permissionAssigner = new PermissionAssigner(securitySystem); permissionAssigner = new PermissionAssigner(securitySystem);
} }
@@ -46,6 +55,21 @@ public class PermissionAssignerTest {
Assertions.assertThat(permissionDescriptors).hasSize(2); Assertions.assertThat(permissionDescriptors).hasSize(2);
} }
@Test
public void shouldFindGroupPermissions() {
Collection<PermissionDescriptor> permissionDescriptors = permissionAssigner.readPermissionsForUser("1");
Assertions.assertThat(permissionDescriptors).hasSize(2);
}
@Test
@SubjectAware(username = "trillian", password = "secret")
public void shouldNotReadUserPermissionsForUnprivilegedUser() {
expectedException.expect(UnauthorizedException.class);
permissionAssigner.readPermissionsForUser("1");
}
@Test @Test
public void shouldOverwriteUserPermissions() { public void shouldOverwriteUserPermissions() {
permissionAssigner.setPermissionsForUser("2", asList(new PermissionDescriptor("perm:read:3"), new PermissionDescriptor("perm:read:4"))); permissionAssigner.setPermissionsForUser("2", asList(new PermissionDescriptor("perm:read:3"), new PermissionDescriptor("perm:read:4")));
@@ -54,4 +78,12 @@ public class PermissionAssignerTest {
Assertions.assertThat(permissionDescriptors).hasSize(2); Assertions.assertThat(permissionDescriptors).hasSize(2);
} }
@Test
@SubjectAware(username = "trillian", password = "secret")
public void shouldNotOverwriteUserPermissionsForUnprivilegedUser() {
expectedException.expect(UnauthorizedException.class);
permissionAssigner.setPermissionsForUser("2", asList(new PermissionDescriptor("perm:read:3"), new PermissionDescriptor("perm:read:4")));
}
} }